December 3, 2011

How Carrier IQ was wrongly accused of keylogging

In just a few days, a startup company named Carrier IQ has been
subjected to extraordinary public vilification, with reports accusing it
of making a "rootkit keylogger" that "creeps out everyone" or is the "rootkit of all evil."
The only problem, which is always a risk when a public lynching takes place, is that Carrier IQ appears to be not guilty of the charges lodged against it.

The most serious charge against Carrier IQ, a venture capital-funded
startup in Mountain View, Calif., that makes diagnostic software for
carriers, has been that it records keystrokes and transmits them to
carriers. One article on a
Mac Web site breathlessly reported that "Carrier IQ Probably Violated Federal Wiretap Laws In Millions Of Cases."

Well, no. There's zero evidence that Carrier IQ captured, recorded, or
transmitted any keystrokes. But that didn't stop the self-appointed
lynch mob on blogs and on Twitter (#OccupyCarriers, that would be you).

Dan Rosenberg, an exceptionally talented security consultant who has discovered over 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own
Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood.

"The application does not record and transmit keystroke data back to
carriers," Rosenberg told CNET. His reverse-engineering showed that
"there is no code in Carrier IQ that actually records keystrokes for
data collection purposes."

Carrier IQ has given Rebecca Bace,
a well-known security expert who's advised startups including Tripwire
and Qualys, access to the company's engineers and internal documents.
(Bace says she has no financial relationship with Carrier IQ.)

Bace told CNET that: "I'm comfortable that the designers and
implementers expended a great deal of discipline in focusing on the
espoused goals of the software -- to serve as a diagnostic aid for
assuring quality of service and experience for mobile carriers."

Andrew Coward, Carrier IQ's vice president for marketing, acknowledged
last night that the company may not have taken the best approach in
responding to public criticism, which started with a blog post by Trevor
Eckhart, a 25-year-old system administrator in Connecticut who noticed
unusual software on HTC EVO devices. He dubbed
it a rootkit, leading to legal threats from Carrier IQ, an intervention
by the Electronic Frontier Foundation, and an embarrassing bit of backtracking a few days later.

Threatening to sue a security researcher, even a newly-minted one, isn't
exactly the way to make friends nowadays -- especially after the last
decade has seen a parade of ill-received threats from Cisco, HP, voting machine makers, and the Recording Industry Association of America.
That legal threat, not unreasonably, led critics to assume the worst.

"That's really been part of our challenge in responding to the
allegations," Coward told CNET. The company decided it needed to be more
forthcoming after "going back and saying, 'No, we don't, no we don't,'
which is where we started, didn't really work." (The company also
released a public statement yesterday.)

There's now a "vast misunderstanding of what we do," Coward says.

That Carrier IQ is innocent of the keylogging accusation, the most
serious charge, does not, however, mean there are no privacy concerns.
Coward acknowledged that the company's software, which is designed to be
installed by carriers, can report back what applications are being used
and what URLs are visited. Carrier IQ doesn't make these decisions;
rather, it sells configurable software and the carriers decide what
options to enable.

"It's up to them whether they do or don't collect that information," Coward says.

The information is used to summarize how the device is working so
carriers can improve their networks, he says. It also helps them when
they're forced to field calls from outraged customers wondering why
their handset keeps crashing or runs out of battery life in a few hours.

Typically the data dump to a carrier is configured to be sent daily,
either over Wi-Fi or the carrier's networks, Coward said. "The device
ends up storing about 200 kilobytes of data," he says. "That's typical
upload size. When it gets to the point that it's full, it'll do an
upload or it'll drop data and start wrapping and store summary
information." (Customers aren't charged for the upload, and it's
disabled when the phone is roaming.)

It's true that carriers already know what URLs you're visiting when you
use their network -- meaning that, in a way, Carrier IQ can be
configured to send them data they already have. Privacy concerns arise
when a list of URLs is stored on the device and accessible to forensic
analysis, or when a list of URLs visited on a Wi-Fi network is
transmitted. (Remember, Apple's log of locations accessible to forensic
analysis landed it in hot water earlier this year.)

In this case, the software can be configured to send data directly to
the carriers or to Carrier IQ's data center. "The data is not controlled
by us, regardless of which model is used," Coward says. "We have no
rights to the data. We cannot sell it, lease it, rent it, share it. The
operators are extremely strict about that, as you might expect."